

Windows Update Servicing with Write Filter

4/24/2012

Microsoft Corporation

June 2010

Summary

This technical article contains information about how to implement a Windows Update Servicing with Write Filter (WUS-WF) solution for File-Based Write Filter (FBWF) and Enhanced Write Filter (EWF) enabled Windows Embedded Standard 7 images.

Applies To

Windows Embedded Standard 7

Introduction

System Requirements

WUS-WF Solution Overview

WUS-WF Solution Files

Applying WUS-WF

Third-Party Software Updates (TPU)

WUS-WF Limitations

Conclusion

Introduction

Businesses require a servicing solution to ensure that their images have the latest security updates installed. Although larger businesses might use comprehensive enterprise update-management solutions, such as System Center Configuration Manager (SCCM) or Altiris, small-to-medium businesses are more likely to choose simpler solutions, for example, Windows Update (WU), or Windows Server Update Services (WSUS).

Unfortunately, Windows Update is not designed to be write-filter aware. The default setting of applying Windows Updates automatically is not usable if a write filter is enabled, because any updates committed by Windows Update are lost when the system restarts and the write-filter overlay is discarded.

The Windows Update Servicing with Write Filter (WUS-WF) solution makes WU/WSUS a possible servicing solution if you use File-Based Write Filter (FBWF) or Enhanced Write Filter (EWF) in your images. In addition, by modifying the WUS-WF VBScript file, you can use this solution for your third-party software updates.

Note

The solutions discussed in this article work for FBWF in addition to EWF. To simplify this discussion, this technical article uses the term write filter, which applies to both. Similarly, this solution works for Windows Update and Windows Server Update Services, assuming the client is already configured to interact with a WSUS server. This technical article implicitly includes Windows Server Update Services (WSUS) when it refers to Windows Update (WU).

System Requirements

  • Windows Embedded Standard 7 system with FBWF or EWF enabled.

  • An unprotected directory or volume.

  • A built-in Administrator account that is enabled and has a password set.
    You can do this by using the following command:

    net user administrator /active:yes
    

    Alternatively, the scripts can be set to use a different user in the Administrators group, as follows:

    1. Look for the string <UserId>Administrator</UserId> in these XML files provided with this package: WindowsUpdateWithWriteFilter-Scheduled.xml and WindowsUpdateWithWriteFilter-Startup.xml.

    2. Replace each string with the following:

      <UserId>Your_Other_User_in_Administrators_Group</UserId>
      

      Replace the Your_Other_User_in_Administrators_Group placeholder with the name of any other user in the Administrators group.

  • The following are required packages:

    • Package Application Support\Win32 Application Runtimes and Libraries (to include Wscript.exe)
    • Package Management\System Management\System Management Utilities (to include Shutdown.exe)
    • Package Management\System Management\System Management Administrative Tools (to include Task Scheduler)

WUS-WF Solution Overview

The WUS-WF solution checks for updates at each scheduled time, regardless of which user is logged on to the system. If updates are found, it writes an action, APPLY_UPDATES, to an action file that is named NextUpdateAction.dat in the user-specified unprotected directory. Then it disables the write filter and restarts the system.

After the system restarts, WUS-WF reads the action file to determine whether updates were found before shutdown. If updates were found, it downloads and installs them. After the update is applied, the solution writes the status UPDATES_UPTODATE to the same action file. Then it enables the write filter and restarts the system.

If the updates have license terms associated with them, the license terms are automatically accepted; however, they are saved for later review in a folder that is named SavedEULAs, in the unprotected directory.

Any logs or errors from this process are written to a log file that is named UpdateLog.log in the unprotected directory.

The following diagram shows the WUS-WF workflow.

[Figure: WUS-WF workflow diagram]

WUS-WF Solution Files

The WUS-WF solution consists of a VBScript file and two Task Scheduler XML files.

These files can be downloaded at this Microsoft Web site.

WUS-WF.vbs

WUS-WF is a VBScript file that is run by two solution tasks: WindowsUpdateWithWriteFilter-Scheduled.xml and WindowsUpdateWithWriteFilter-Startup.xml. During the scheduled run, WUS-WF checks for updates; if updates are available, it writes an update action in the action file for later reference. Then it disables the write filter and restarts the system.

During system logon, the script checks for actions recorded in the action file. In this solution, the action it takes is to apply the updates. It downloads available updates and installs them. The script is set to install only critical and security updates.

This script does not and cannot have any user interaction because it runs as part of two tasks that run with Administrator permission and in a non-interactive mode.

The script runs with the parameters as shown in the following code sample:

WUS-WF.vbs WhenToRun WriteFilterManager

    WhenToRun:          When to run the script. Either of two values: OnStartup or OnSchedule
    WriteFilterManager: Write Filter manager's name. Either of two values: Fbwfmgr or Ewfmgr

For example:

WUS-WF.vbs OnStartup EwfMgr

WindowsUpdateWithWriteFilter-Scheduled.xml

WindowsUpdateWithWriteFilter-Scheduled.xml is a task definition that checks for available Windows updates at a scheduled time. The schedule can be changed to suit your environment. This task can run while any user is logged on to the system, and runs even if no one is logged on to the system. If updates are found, the write filter is disabled and the system is restarted.

WindowsUpdateWithWriteFilter-Startup.xml

This is a task definition for applying the available updates if updates are found by the WindowsUpdateWithWriteFilter-Scheduled task. This task runs at startup. The updates are searched for and applied only if the WindowsUpdateWithWriteFilter-Scheduled task finds pending updates. This task can run while any user is logged on to the system, and runs even if no one is logged on to the system.

If updates are found, because the write filter was disabled by the WindowsUpdateWithWriteFilter-Scheduled task during the previous run, the updates applied by WindowsUpdateWithWriteFilter-Startup become persistent. After the updates are applied, the write filter is enabled and the system is restarted.

Applying WUS-WF

The following procedures set up your WUS-WF solution so that its tasks run at the appropriate time, check for and install available updates, and operate on the appropriate folders.

Create an update directory

You must disable the write filter and create an unprotected directory so that the WUS-WF solution changes are persistent across system restarts.

To create an update directory for FBWF

  1. At a command prompt, enter the following commands to disable FBWF and restart the system:

    fbwfmgr /disable
    shutdown -r -t 0
    

    Note

    If the shutdown command is not available on the system, you must install the package Management\System Management\System Management Utilities. This package is required because this solution uses the shutdown command.

  2. After the system restarts, log on as an Administrator.

  3. At a command prompt, create an update directory; for example:

    md C:\WUS-WF
    
  4. Enable FBWF for the next system restart by using the following command:

    fbwfmgr /enable
    
  5. Add the update directory to the FBWF exclusion list; for example:

    fbwfmgr /addexclusion C: \WUS-WF
    

To create an update directory for EWF

  1. At a command prompt, disable EWF; for example:

    ewfmgr C: -disable
    
  2. For EWF, you must have an unprotected volume. You cannot have a single unprotected directory on a protected volume.

    If you do not have an unprotected volume, select a volume and unprotect it; for example:

    ewfmgr D: -disable
    
  3. Restart the system.

  4. At a command prompt, enter the following command:

    shutdown -r -t 0
    
  5. After the system restarts, log on as Administrator and create a directory in the unprotected volume. For example, at a command prompt, type the following:

    md D:\WUS-WF
    
Copy solution files and change permissions

Copy the following three solution files into the unprotected directory that you created earlier:

  • WUS-WF.vbs
  • WindowsUpdateWithWriteFilter-Scheduled.xml
  • WindowsUpdateWithWriteFilter-Startup.xml

For security reasons, change the permissions on this directory so that only Administrators and other intended users can access the files in this directory.

We recommend that Administrators should be set to Allow for Full Control access to the unprotected directory and files in this directory, and that all non-Administrator users should be set to Deny for Full Control access to the same directory and files.
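
The scripts in this directory run with Administrator rights from a location the write filter does not protect, so its ACL is worth checking after you set it. The following audit script is an added example, not part of the WUS-WF package; it assumes the article's example path C:\WUS-WF as its default and treats only Administrators and SYSTEM as expected writers.

```vbscript
Option Explicit
' Added example (not part of the WUS-WF package): report Allow ACEs that let any
' trustee other than Administrators or SYSTEM change the update directory or a
' file in it. Deny ACEs are not evaluated; Allow entries alone are reported.

' FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_DELETE_CHILD |
' FILE_WRITE_ATTRIBUTES | DELETE | WRITE_DAC | WRITE_OWNER | GENERIC_WRITE | GENERIC_ALL
Const WRITE_BITS = &H500D0156
Const ACE_ALLOW = 0

Function AuditPath(wmi, path)
    ' Returns one line per offending ACE, or "" when the DACL is clean.
    Dim item, sd, ace, sid, rc
    AuditPath = ""
    For Each item In wmi.ExecQuery("SELECT * FROM Win32_LogicalFileSecuritySetting " & _
            "WHERE Path='" & Replace(path, "\", "\\") & "'")
        rc = item.GetSecurityDescriptor(sd)
        If rc <> 0 Then
            AuditPath = path & ": cannot read ACL (error " & rc & ")" & vbCrLf
        ElseIf IsNull(sd.DACL) Then
            AuditPath = path & ": NULL DACL, everyone has full control" & vbCrLf
        Else
            For Each ace In sd.DACL
                sid = ace.Trustee.SIDString
                ' S-1-5-32-544 = BUILTIN\Administrators, S-1-5-18 = Local System
                If ace.AceType = ACE_ALLOW And sid <> "S-1-5-32-544" And sid <> "S-1-5-18" Then
                    If (ace.AccessMask And WRITE_BITS) <> 0 Then
                        AuditPath = AuditPath & path & ": " & ace.Trustee.Domain & "\" & _
                            ace.Trustee.Name & " (" & sid & ") mask=0x" & Hex(ace.AccessMask) & vbCrLf
                    End If
                End If
            Next
        End If
    Next
End Function

Dim target, wmi, fso, f, report
target = "C:\WUS-WF"   ' the article's example directory; pass another path as argument 1
If WScript.Arguments.Count > 0 Then target = WScript.Arguments(0)
Set wmi = GetObject("winmgmts:\\.\root\cimv2")
Set fso = CreateObject("Scripting.FileSystemObject")
report = AuditPath(wmi, target)
For Each f In fso.GetFolder(target).Files
    report = report & AuditPath(wmi, f.Path)
Next
If report = "" Then WScript.Echo "OK: no write access outside Administrators/SYSTEM"
If report <> "" Then WScript.Echo "Review these entries:" & vbCrLf & report
```

Run it with cscript from an elevated command prompt while the write filter is still disabled, so that any ACL correction you make afterward persists.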

Schedule updates in Task Scheduler

The following procedure will schedule the tasks to check for updates.

To set up the WindowsUpdateWithWriteFilter-Startup.xml task

  1. Click Start, All Programs, Accessories, System Tools, Task Scheduler.

  2. On the Task Scheduler menu, select Actions, Import Task….

  3. Locate the unprotected directory and select the WindowsUpdateWithWriteFilter-Startup.xml file.

  4. Click Open.

    The Create Task dialog box will be displayed.

  5. Select the Actions tab.

  6. Select the Start a program action in the list, and then click Edit.

    The Edit Action dialog box will be displayed.

  7. If you are using FBWF as your write filter, do not change any settings.

    However, if you are using EWF, change the second argument to ewfmgr.

    Do not change the first argument, OnStartup.

  8. Change the working directory to the unprotected directory that you created earlier.

  9. Click OK.

    Do not change the trigger.

  10. In the Create Task dialog box, click OK.

  11. When you are prompted, provide your Administrator credentials.

To set up the WindowsUpdateWithWriteFilter-Scheduled.xml task

  1. On the Task Scheduler menu, select Actions, Import Task….

  2. Locate the unprotected directory and select the WindowsUpdateWithWriteFilter-Scheduled.xml file.

  3. Click Open.

    The Create Task dialog box will be displayed.

  4. Select the Actions tab.

  5. Select the Start a program action in the list, and then click Edit.

    The Edit Action dialog box will be displayed.

  6. If you are using FBWF as your write filter, do not change any settings.

    However, if you are using EWF, change the second argument to ewfmgr.

    Do not change the first argument, OnSchedule.

  7. Change the working directory to the unprotected directory that you created earlier.

  8. Click OK.

  9. Select the Triggers tab if you want to change the scheduled time for this task.

    Note

    By default, the task is scheduled to run at 3:00 AM daily.

  10. If you want to change this time, do the following:

    1. Select the Daily trigger, and then click Edit.
    2. Change the schedule to your new requirements.
    3. Click OK.
  11. In the Create Task dialog box, click OK.

Change Windows Update settings

You must change the Windows Update settings to never check for updates. This is required when you are using the WUS-WF solution for updates (instead of using the Windows Update program).

To change Windows Update settings

  1. Click Start, All Programs, Windows Update.

  2. Select Change Settings.

  3. In the Important Updates List, select Never check for updates (Not Recommended).

  4. Click OK.

Enable the write filter and restart

Finally, you must re-enable the write filter and restart the system for your changes to take effect.

To enable the write filter and restart the system

  • If you are using FBWF, you already enabled FBWF earlier. Restart the system for the changes to take effect.

    At a command prompt, type the following:

    shutdown -r -t 0
    
  • If you are using EWF, enable EWF on the System partition and restart the system for the changes to take effect.

    At a command prompt, type the following:

    ewfmgr C: -enable
    shutdown -r -t 0
    

Third-Party Software Updates (TPU)

Users can have non-Microsoft software installed on their systems that is not covered by Windows Update. This software might include antivirus software, third-party data protection software, and other software that can have its own update programs. This solution can be modified to apply these updates together with Windows Update. To do this, you must be able to check for and apply updates from the third-party software programmatically using VBScript.

At the end of the WUS-WF.vbs file, there is a code block named Third Party Software Update Code. It contains two empty functions: TPUAvailable and TPUApply. To apply third-party updates using this solution, you must implement these functions. If you do not have to add updates from third-party software, you can safely ignore these functions.

TPUAvailable

Implement the TPUAvailable function to check for available updates from third-party software. The function must do the following:

  • Return True if updates are available.
  • Make sure that there is no user interaction in this function.
  • Use the Print function to log your messages or errors in the log file that is used by this solution.

'
' This function checks if updates from third-party software are available.
'
' Arguments:
' None, but this function can be modified to take arguments if required.
'
' The function returns True if updates from third-party software are available,
'                      False otherwise
'
' You can modify this function for your third-party software to check for updates,
' but make sure there is no user interaction within this function.
'
Private Function TPUAvailable()
    TPUAvailable = False
End Function

TPUApply

Implement the TPUApply function to install the available updates from your third-party software. The function must do the following:

  • Return False only if this function does not apply the updates.
  • Follow the return code rules in the function comments.
  • Make sure that there is no user interaction in this function.
  • Use the Print function to log your messages or errors in the log file that is used by this solution.

'
' This function applies the updates from third-party software.
'
' Arguments:
' None, but this function can be modified to take arguments if required.
'
' This function returns True if all available updates are applied successfully, or
'                       True if updates are up-to-date; i.e., no updates are available,
'                       False otherwise
'
' You can modify this function for your third-party software to apply updates,
' but make sure there is no user interaction within this function.
'
Private Function TPUApply()
    TPUApply = True
End Function
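
One way to fill in both functions while following the rules above, as an added example that is not Microsoft's code. The updater path, its /check, /apply and /quiet switches and its exit codes are hypothetical, and the Print stand-in exists only so the block runs by itself.

```vbscript
' Added example, not Microsoft's code: TPUAvailable and TPUApply for a hypothetical
' command-line updater. The UPDATER path, the /check, /apply and /quiet switches and
' the exit codes (0 = nothing to do or success, 1 = updates pending) are assumptions.
Const UPDATER = "C:\Program Files\ExampleVendor\updater.exe"

' Stand-in for the Print routine in WUS-WF.vbs; leave it out when merging.
Sub Print(message)
    WScript.Echo Now & " " & message
End Sub

' Hidden window (style 0), wait for exit, return the exit code. The full quoted
' path keeps the elevated task from resolving the name via PATH or the working directory.
Private Function RunUpdater(switches)
    RunUpdater = CreateObject("WScript.Shell").Run("""" & UPDATER & """ " & switches, 0, True)
End Function

Private Function TPUAvailable()
    Dim rc
    TPUAvailable = False
    On Error Resume Next
    rc = RunUpdater("/check /quiet")
    If Err.Number <> 0 Then
        Print "TPU check: cannot start " & UPDATER & ": " & Err.Description
    ElseIf rc = 1 Then
        Print "TPU check: updates are pending"
        TPUAvailable = True
    ElseIf rc <> 0 Then
        Print "TPU check: failed with exit code " & rc
    End If
    On Error GoTo 0
End Function

Private Function TPUApply()
    Dim rc
    TPUApply = False   ' False tells WUS-WF the updates were not applied
    On Error Resume Next
    rc = RunUpdater("/apply /quiet")
    If Err.Number <> 0 Then
        Print "TPU apply: cannot start " & UPDATER & ": " & Err.Description
    ElseIf rc = 0 Then
        Print "TPU apply: updates installed or already up to date"
        TPUApply = True
    Else
        Print "TPU apply: failed with exit code " & rc
    End If
    On Error GoTo 0
End Function

If TPUAvailable() Then Print "TPUApply returned " & TPUApply()
```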

WUS-WF Limitations

This solution cannot install updates that display a setup user interface (UI). However, the log file keeps a log entry of all updates and suggests that the Administrator install these updates manually.

Conclusion

What you have learned

By using the procedures and files presented in this technical article, you can implement a Windows Update Servicing with Write Filter (WUS-WF) solution for File-Based Write Filter (FBWF) and Enhanced Write Filter (EWF) enabled Windows Embedded Standard 7 images.

This document is provided “as-is” without support. Information and views expressed in this document may change without notice. You bear the risk of using it. This user manual is for information purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED IN THIS DOCUMENT.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. This document is confidential and proprietary to Microsoft. It is disclosed and can be used only pursuant to a non-disclosure agreement.

© 2010 Microsoft Corporation. All rights reserved.